[jcoglan]

Relying on the way you happen to combine data, instead of using a function that's designed for authentication and has baked-in a safe way to combine the inputs, is a bad idea. "What if $EDGE_CASE_OF_INAPPROPRIATE_CRYPTO_FUNCTION" is never a good question to ask. Just use the right tools in the first place.

[exit]

> "What if $EDGE_CASE_OF_INAPPROPRIATE_CRYPTO_FUNCTION" is never a good question to ask. Just use the right tools in the first place.

that's not an intelligent attitude.

understanding where an edge case breaks down is still illuminating, regardless of whether i use hmac in the end.

[rlpb]

> Just use the right tools in the first place.

There are two reasons to ask the question.

The first reason is because the questioner is looking for an excuse to use something different. In this case, your answer is the right answer.

The second reason is because the questioner wants to learn more about how cryptography works, for educational value. In this case, your answer is not helpful.